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DETAILED ACTION 

1. Claim 1-20 are pending in this office action, claims 16-20 are newly added. 

2. Applicant's arguments, filed June 29, 2006, have been fully considered but they 
are not persuasive. 

Claim Rejections 

3. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

Claim Rejections - 35 USC § 102 

4. Claims 1-20 are rejected under 35 U.S.C. 102(e) as being anticipated by Vaidva 
(U.S. Patent No. 6,279,113). 

Regarding claim 1 . Vaidva teaches a node of a network maintaining an instance 
of an intrusion prevention system, comprising: 

• A memory module for storing data in a machine-readable format for retrieval and 
execution by a central processing unit (fig. 2, ref. num 39); and 

• An operating system comprising 

o A network stack comprising a protocol driver, a media access control 
driver and an instance of the intrusion prevention system implemented as 
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an intermediate driver and bound to the protocol driver and the media 
access control driver (col. 7, lines 18-24), 
• The intrusion prevention system comprising an associative process engine and 
an input/output control layer (fig. 2, ref. num 10), 

o The input/output control layer operable to receive at least one of a plurality 
of machine-readable network-exploit signatures from a database and 
provide the at least one machine-readable network-exploit signature to the 
associated process engine (fig. 3, ref. num 58), 

o The associated process engine operable to compare a packet with the at 
least one machine-readable network-exploit signature and determine a 
correspondence between the packet and the at least one machine- 
readable network-exploit signature (fig. 3, ref. num 64). 

Regarding claim 2 . Vaidva teaches wherein the database is maintained in a 
storage device of the node (fig, 2, ref. num 26). 

Regarding claim 3 . Vaidva teaches wherein each of the plurality of machine- 
readable network-exploit signatures comprise a respective directive that defines 
instructions to be executed upon determination of a correspondence between the 
packet and the respective exploit signature (col. 6, lines 1-11). 
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Regarding claims 4 and 5 . Vaidva teaches wherein, upon determination of a 
correspondence between the packet and two or more of the plurality of machine- 
readable network-exploit signatures, [each of the directives/an alternative directive] of 
the two or more machine-readable network-exploit signatures are executed by the 
intrusion prevention system (col. 7, lines 41-45 and lines 62-67). 

Regarding claim 6 . Vaidva teaches a method of analyzing a packet at a node of a 
network by an intrusion prevention system executed by the node (fig. 3), comprising: 

• Reading the packet by the intrusion prevention system (fig. 3, ref. num 58); 

• Comparing the packet with a plurality of machine-readable network-exploit 
signatures (fig. 3, ref. num 64); and 

• Determining a correspondence between the packet and at least two of the 
plurality of machine-readable network-exploit signatures (fig. 3, ref. num 64 and 
col. 7, lines 12-24). 

Regarding claim 7 . Vaidva teaches further comprising generating a record of the 
at least two of the plurality of machine-readable network-exploit signatures with which a 
correspondence with the packet is made (col. 7, lines 32-34). 



Regarding claim 8 . Vaidva teaches further comprising transmitting the record to a 
management node connected to the network (col. 6, lines 21-24). 
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Regarding claim 9 . Vaidva teaches further comprising logging the record in a 
database (coL 5, lines 47-51). 

Regarding claims 10-12 . Vaidva teaches further comprising executing, by the 
intrusion protection system, a [respective/at least one/an alternative] directive of each of 
the at least two machine-readable signatures determined to correspond with the packet 
(col. 7, lines 41-45). 

Regarding claim 13 . Vaidva teaches a computer-readable medium having stored 
thereon a set of instructions to be executed, the set of instructions, when executed by a 
processor, cause the processor to perform a computer method of: 

• Comparing a packet with a plurality of machine-readable network-exploit 
signatures (fig, 3, ref. num 64); 

• Determining a correspondence between the packet and at least two of the 
plurality of machine-readable network-exploit signatures (fig. 3, ref. num 64 and 
col. 7, lines 12-24); and 

• Generating a record of the at least two signatures with which the correspondence 
is made (col. 7, lines 32-35). 

Regarding claim 14 . Vaidva teaches further comprising a set of instructions that 
cause, when executed by the processor, the processor to perform a computer method 
of: 
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• Determining a correspondence between the packet and a subset of the plurality 
of machine-readable network-exploit signatures, each machine-readable 
network-exploit signature comprising a directive (fig. 3, ref. num 64 and col. 7, 
lines 12-24 and col. 7, lines 51-62); and 

• Executing, by the processor, each directive of the record of machine-readable 
signatures (col. 7, lines 62-67). 

Regarding claim 15 , Vaidva teaches further comprising a set of instructions that 
cause, when executed by the processor, the processor to perform a computer method 
of executing a directive dependent on the corresponding machine-readable network- 
exploit signatures (col. 7, lines 41-45). 

Regarding claim 16 . Vaidva teaches wherein said set of instructions for 
performing said comparing is implemented as an intermediate driver within a network 
stack of an operating system (col. 7, lines 18-24). 

Regarding claim 17 . Vaidva teaches wherein said intermediate driver is bound to 
a protocol driver and a media access control driver included in said network stack (col. 
7, lines 18-24). 



Regarding claim 18 . Vaidva teaches wherein the intermediate driver further 
comprises: 
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• An associative process engine and an input/output control layer (fig. 2, ref. num 
10); 

• Wherein the input/output control layer comprises instructions operable to receive 
the at least two of the plurality of machine-readable network-exploit signatures 
from a database and provide the at least two machine-readable network-exploit 
signatures to the associative process engine (fig. 3, ref. num 58); and 

• Wherein the associative process engine performs the comparing and determining 
(fig. 3, ref. num 64). 

Regarding claim 19 . Vaidva teaches wherein said set of instructions for 
performing said determining is implemented as said intermediate driver within said 
network stack of said operating system (col. 7, lines 1 8-24). 

Regarding claim 20 . Vaidva teaches wherein said set of instructions for 
performing said determining is implemented as an intermediate driver within a network 
stack of an operating system (col. 7, lines 18-24). 

Response to Arguments 

5. Applicant argues: 

a. Independent claim 1 is not taught by the reference to include a network 
stack that includes an instance of the intrusion prevention system implemented 
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as an intermediate driver (page 6, last paragraph through page 7, third 
paragraph). 

b. Independent claim 1 3 is not taught by the reference to include determining 
a correspondence between a packet and at least two of the plurality of machine- 
readable network-exploit signatures (page 7, last paragraph through page 9). 

Regarding argument (a), examiner disagrees with applicant. Column 7, lines 18- 
24 of Vaidya teach a data packet that includes an IP header, MAC header information. 
The passage continues by saying that extracting the above data helps detect network 
intrusions. The IP header is a protocol; the MAC header information is the media 
access control; the extraction of both enable the detection of network intrusions, which 
constitutes the instance of the IPS as an intermediate. The computers in this reference 
contain a network stack. The extraction of packet information enables detection of 
network intrusions at different layers of the OSI model (col. 7, lines 21-24). The 
intrusion prevention system (IPS) is implemented as an intermediate driver because the 
IPS works based on information found between (or intermediate) MAC driver 
Information and protocol drivei information. 

Regarding argument (b), examiner disagrees with applicant. Examiner would like 
to point applicant to column 7 of Vaidya. The section cited by the examiner, and 
reproduced in the response by applicant explains the process of extracting information 
from a packet to determine which signature profile(s) will be accessed. Further down in 
the column, while still teaching about the same subject matter, Vaidya goes into further 
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detail (lines 46-67) about how multiple signature profiles are used to detect sequential 
attack signatures by comparing multiple expressions using the multiple profiles. This 
clearly shows determining a correspondence between a packet and at least two 
machine-readable network-exploit signatures. 

Conclusion 

6. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Brandon S. Hoffman whose telephone number is 571- 
272-3863. The examiner can normally be reached on M-F 8:30 - 5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser G. Moazzami can be reached on 571-272-4195. The fax phone 
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number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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